SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

INTERNET STORM CENTER TECH CORNER

Splunk named a leader in the Forrester Wave: Security Analytics Platforms, Q1 2017. To assess the state of the security analytics (SA) market and see how vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top SA vendors. Register for a complimentary copy to discover why. http://www.sans.org/info/194260
****************************************************************************

TOP OF THE NEWS

Company Sues Former Employee Over Logic Bomb
(April 13 & 14, 2017)

Allegro MicroSystems in Massachusetts is suing a former employee for allegedly planting a logic bomb in a financial database. Nimesh Patel began working at Allegro in 2002 and resigned on January 8, 2016. Court documents allege that Patel used an unreturned company-issued laptop and another employee's credentials to access the company's network on January 31, 2016, when he planted the logic bomb. It was scheduled to activate on April 1, the first day of the company's financial year. The sabotage was detected on April 14, and within two weeks, the logic bomb code was found.

[Editor Comments]

[Williams] Logic bombs are notoriously difficult to find in a network. The best defense is using good user behavior analytics (UBA) to stop the attack in the first place.

Man Admits He Broke Into Former Employer's System
(April 17, 2017)

Jason Needham has pleaded guilty to breaking into a former employer's network numerous times over a two-year period to steal proprietary information. Needham is the co-owner of an engineering company; his former employer is one of his business competitors.

[Editor Comments]

[Henry] I continue to see examples, time after time, of employees and former employees gaining access to networks they have no business being in. While constant monitoring and the deployment of appropriate tripwires can help to detect malicious insider employee activity, eliminating the access of employees once they're no longer employed is a fundamental step in information security. In this case it appears the subject accessed the email account of a former colleague over two years; had those credentials been periodically changed as they should have been (at least every 90 days), the impact of this loss could have been mitigated or entirely eliminated.

[Murray] Most separations are amicable, but, even so, all must be complete and timely. This is particularly true for privileged employees. Before granting a privilege, management must know how to effectively withdraw it at termination time. This will include controls that ensure that employees cannot expand their privileges in ways that are invisible to management. This will usually involve multi-party controls.

[Williams] If an employee leaves for a competitor, it is almost always worth the cost to get competent forensics examiners to preserve the state of the employee's work machine(s) and conduct a preliminary examination. Far too often, even the most trustworthy employees take work product with them to a competitor.

Microsoft has published a trio of policy papers in support of a Digital Geneva Convention. Two of the documents describe rules for countries and technology companies to abide by in cyberspace; the third calls for establishing an international body to attribute malicious cyberattacks. In a blog post, Microsoft president and Chief Legal Officer Brad Smith noted that while the G7 has "published a declaration recognizing the urgent need to establish international norms for responsible nation state behavior in cyberspace," voluntary norms do not go far enough. Smith, who spoke about a Digital Geneva Convention at the RSA Conference earlier this year, wrote, "We need to... pursue a legally binding framework that would codify rules for governments and thus help prevent extraordinary damage."

[Editor Comments]

[Pescatore] The phrase "Think globally, act locally" (which came out of city planning over 100 years ago) definitely applies here. There is a real need for global norms to think of cyber weapons much the way physical weapons of mass destruction are considered. However, those norms move slooowly and never protect against rogue actors, anyway. On the cyber side, local action (especially by technology sellers, but by technology users as well) can eliminate or reduce vulnerability to the vast majority of cyber attacks. Global treaties prohibiting the use of chemical warfare would be meaningless if everyone was paying for and drinking contaminated water or eating spoiled food.

[Henry] We are well past the time where "this sounds like a good idea." The stakes for our global interconnected society are too high, and the failure to implement some framework binding on governments may be catastrophic. The time for this is now.

1) Using the Power of Artificial Intelligence to Minimize Your Cybersecurity Attack Surface. Learn More: http://www.sans.org/info/194265
2) Newly Commissioned Research Reveals Alarming Facts Around the Real-World State of Security Operations in 2017 - And What's Being Done. Register: http://www.sans.org/info/194270
3) Take the Threat Landscape Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/194275
******************************************************************************

THE REST OF THE WEEK'S NEWS

2017 National Collegiate Cyber Defense Competition
(April 17, 2017)

A team of students from the University of Maryland, Baltimore County emerged as the winner of the 2017 National Collegiate Cyber Defense Competition. Regional competitions narrowed a field of more than 230 teams to just 10 that participated in the championship round in San Antonio, Texas, last week.

VMware has fixed a critical flaw in its vCenter Server that could be exploited to execute code remotely. The vulnerability affects vCenter versions 6.5 and 6.0. Users are urged to upgrade to versions 6.5c or 6.0U3b. The security issue lies in the way BlazeDS processes AMF3 messages.

Army Reserve Wants Civilians with Cyber Skills
(April 17, 2017)

The US Army wants to better leverage the cyber skills of its reservists; a pilot program aims to catalog soldiers' talents. The military is also looking for ways to bring in National Guard and Army Reserve members with skills in certain areas, including digital forensics and crypto-analysis. One Army reservist, who has taken a leave from his private sector job to help fight ISIS on the cyber front, says he finds the work rewarding, and "the ability to participate in some way in a real mission, ... you can't find that in the private sector."

BankBot Trojan Evading Detection
(April 17, 2017)

Malware known as BankBot has been slipping past Google security measures and finding its way into the Google Play store hidden in apps. BankBot targets bank customers in several countries, including Russia, the UK, Austria, Turkey, and Germany.

Plea Change in Government Computer Hacking Case
(April 17, 2017)

An Arizona man has changed his plea in a case involving March 2015 attacks on municipal government computers in Arizona and Wisconsin. Randall Charles Tucker had earlier pleaded not guilty to charges of intentionally damaging protected computers and threatening to damage protected computers. Tucker has now pleaded guilty to intentionally damaging protected computers that interfered with communications systems used by emergency workers in Madison, Wisconsin.

Microsoft says that it has fixed most of the Windows vulnerabilities in a recent Shadow Brokers data dump of purported NSA hacking tools. Nine zero-day flaws used in Shadow Brokers' exploits were patched in March; three others were not reproducible on supported platforms and were not patched. Microsoft's actions have piqued curiosity: the March patches for the nine flaws credit no source for the disclosure, leading some to speculate that the NSA disclosed the flaws to Microsoft.

[Editor Comments]

[Ullrich] Microsoft was a bit slow reacting to the release of Friday's tools. But it is good to see that they likely have worked behind the scenes, after the release of the tools became inevitable, to patch these vulnerabilities. Still, the fact that the March update claimed, for example, that the vulnerability was not yet being exploited may have delayed the patch in many organizations. A responsible vendor must provide accurate assessments of the exploitability of vulnerabilities to allow customers to correctly prioritize patches. The respective security bulletin still hasn't been updated to reflect the fact that these vulnerabilities are actively being exploited (and were exploited at the time the bulletin was released).

[Northcutt] This is an important story. In some ways Harold Martin mirrors the Snowden story; in fact, they both worked for the same defense contractor. And while the Microsoft story is a great cat-and-mouse story, the weaponized cybertools that gave NSA deep access into the financial system, including SWIFT, are even more interesting:

Microsoft has blocked computers running Windows 7 and 8.1 with new processors from receiving updates. Microsoft announced the change in January 2016, when it noted that making the older operating systems run on the newer processors was "challenging." However, some Windows 7 and 8.1 systems running AMD Carrizo chips were also blocked from receiving updates when they should not have been. Supporters of this decision say that the new updates are blocked because they haven't been tested for that configuration.

[Editor Comments]

[Williams] The inevitable outcome of this security disaster is that organizations will upgrade hardware because of purchasing cycles programmed long ago and then skip software patches.

Documents released by Shadow Brokers suggest that the NSA may have accessed EastNets, a Dubai-based company that helps manage SWIFT transactions for dozens of banks and companies in the Middle East. EastNets has denied that its systems were breached.

Old Systems Need People Who Know How to Fix Them
(April 10, 2017)

Some COBOL-based systems, built in the 1970s and 1980s, are still in use at financial firms, large corporations, and government. New apps and tools written in modern languages must still interact seamlessly with the old systems. The number of people equipped to address problems with those systems is diminishing. While the cost of addressing operational and interoperability issues may be high, it is less than the cost of completely replacing the old systems. IBM has created training programs to teach young developers the old language.

[Editor Comments]

[Murray] Business does not "run" old code. Old code runs the business. Like it or not, applications have a finite useful life. It is important to know what it is and to have a plan for what to do at the end of the application's life.